SolarWinds - How to create a chart for active WebVPN sessions. [TESTED]

Real quick: the same as I did before for AnyConnect sessions, but for another OID: CISCO-REMOTE-ACCESS-MONITOR-MIB::crasWebvpnNumSessions.0 (1.3.6.1.4.1.9.9.392.1.3.38.0), "The number of currently active Webvpn sessions."

You can get the same information from the CLI:

ASA# show vpn-sessiondb webvpn

Session Type: WebVPN

Username     : username               Index        : 4
Public IP    : 172.16.1.2
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 2686857                Bytes Rx     : 162442
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 18:02:49 UTC Fri Feb 6 2015
Duration     : 0h:06m:33s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ASA#
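To cross-check the polled crasWebvpnNumSessions value against the CLI, the output above can be parsed and counted. This is an added example, not code from the original post: the function names are hypothetical, the polled value is assumed to come from your own poller, and the RC4 flag is an extra check added here.

```python
import re

# Constructed sample: the CLI output shown above, embedded so this runs offline.
SAMPLE = """\
ASA# show vpn-sessiondb webvpn

Session Type: WebVPN

Username     : username               Index        : 4
Public IP    : 172.16.1.2
Protocol     : Clientless
License      : AnyConnect Premium
Encryption   : Clientless: (1)RC4     Hashing      : Clientless: (1)SHA1
Bytes Tx     : 2686857                Bytes Rx     : 162442
Group Policy : DfltGrpPolicy          Tunnel Group : DefaultWEBVPNGroup
Login Time   : 18:02:49 UTC Fri Feb 6 2015
Duration     : 0h:06m:33s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

ASA#
"""

# A field name starts a line or follows 2+ spaces, and is padded before its colon.
KEY = re.compile(r"(?:^|\s{2,})([A-Z][A-Za-z ]*?)\s+:(?:\s|$)")

def parse_sessions(text):
    """Return one dict per session; handles the two-column 'Key : Value' rows."""
    sessions = []
    for line in text.splitlines():
        marks = list(KEY.finditer(line.strip()))
        for i, m in enumerate(marks):
            end = marks[i + 1].start() if i + 1 < len(marks) else len(line)
            key, value = m.group(1), line.strip()[m.end():end].strip()
            if key == "Username":  # each session record begins with Username
                sessions.append({})
            if sessions:
                sessions[-1][key] = value
    return sessions

def weak_crypto(sessions, weak=("RC4",)):
    """Usernames whose Encryption field names a cipher from the 'weak' list."""
    return [s["Username"] for s in sessions
            if any(w in s.get("Encryption", "") for w in weak)]

def matches_snmp(sessions, polled_value):
    """True when the CLI session count equals the value polled over SNMP."""
    return len(sessions) == polled_value
```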

Wireshark - How to enable SNMP OID resolution and add SNMP MIBs. [TESTED]

Modern versions of Wireshark (on Windows) ship with many basic MIBs in the folder “C:\Program Files\Wireshark\snmp\mibs”.

To enable OID resolution

• Edit > Preferences > Name Resolution > Enable OID resolution > OK.
• Restart Wireshark.

To upload new MIBs

• Copy them to “C:\Program Files\Wireshark\snmp\mibs”. Note that the file name must NOT include a file extension: for instance, if you download CISCO-ENVMON-MIB.my from Cisco.com, you have to rename it to CISCO-ENVMON-MIB.
• Wireshark doesn’t handle MIBs well: even after you copy a MIB into the folder, you have to add its name to the MIB list manually: Edit > Preferences > Name Resolution > SMI (MIB and PIB) modules > Edit > New > Module name: just the file name > OK > OK.
• Restart Wireshark.

Cisco ASA - How to configure SNMP. [TESTED]

Quick note about Cisco ASA and SNMP…

SNMP MIBs and Traps on the ASA - Additional Information - The BEST official document that I’ve found - MUST READ.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.3 > Logging, SNMP, and Smart Call Home > SNMP > About SNMP:

The ASA, ASAv, and ASASM support SNMP read-only access through issuance of a GET request. SNMP write access is not allowed, so you cannot make changes with SNMP. In addition, the SNMP SET request is not supported.

In software versions 7.2(1), 8.0(2), and later, the interface information accessed through SNMP refreshes about every 5 seconds. As a result, we recommend that you wait for at least 5 seconds between consecutive polls.

RO Access for SNMP Polling

conf t
 clear configuration snmp-server
 snmp-server host management 192.168.1.1 community COMMUNITY version 2c

There are many options, but I want to mention only one: the ACL. Recently I tried to apply an extended named ACL on Catalyst switches and, depending on the SW version, I got the following:

% The access list could not be allocated or an access list with the same name but incompatible type already exists.

Or:

Access-list type conflicts with prior definition

So, you have to use a standard ACL (normal/expanded range or named):

ip access-list standard SNMP_ACL
 permit 192.168.1.1
 deny any log

snmp-server community COMMUNITY RO SNMP_ACL

SNMP traps toward NMS

In addition to the previously configured command:

conf t
 snmp-server enable traps all

Cisco IOS - How to configure SNMP traps for linkup/down. [TESTED]

For faster copy/paste:

snmp-server trap-source Vlan1
snmp-server enable traps snmp linkup linkdown
snmp-server host 192.168.1.1 version 2c SNMP_COMMUNITY
